Governance, Risk and Compliance (GRC) is a multibillion-dollar industry worldwide and signs are that it is growing. A 2009 AMR Research Inc. study found that US companies were expected to spend $29.8 billion on GRC across software ($9.2bn), external services ($6.6bn) and internal efforts ($14.0bn). Risk management, followed by regulatory compliance, was cited as the key driver for the expenditure. Despite the significant level of investment, apart from pockets of excellence, few financial services firms seem to have benefited significantly. More than five years after a financial crisis spurred by a massive failure in risk management, it appears that lessons have not been learnt. In a 2012 study, the Chartered Institute of Internal Auditors (CIIA) found that 60% of fines levied by the FSA in 2011 were down to weaknesses in risk management systems. A significant transformation is needed in the way organisations assess and manage risks. They need to realise for themselves that risk management matters, and not let regulators dictate the risk agenda. On a positive front, however, there is growing evidence that firms see effective risk management as a means to enhanced reputation, greater competitiveness and market share. Risk management and strong ethical behaviour are key to winning over consumer confidence in the financial services sector. This does, however, mean that risk management organisations need to reassess and realign strategies, processes and infrastructure to deliver value at reduced cost, thereby enhancing return on investment. As a start to the debate, and by way of examples, this paper explores five strategies that will help organisations gain more commercial value from their risk management efforts (across all lines of defence), whilst improving process efficiencies and reducing costs.
Achieving Risk Mastery
5 Key Strategies
to an efficient, cost effective and value adding Risk Function
BUSINESS & RISK CONSULTING
Contents
Risk Management in the Spotlight 3
Risk & Compliance Functions Under Increasing Pressure 4
10 Questions Boards should be asking themselves 5
Risk Mastery: Key Strategies for Risk Transformation 6
1. Realigning to the New Normal 7
2. Reducing Costs 8
3. Enhancing Operational Efficiencies 10
4. Enhancing value added by the Risk Function 11
5. Taming the Regulatory Tsunami – Proactive Compliance 12
What are the Next Steps 13
“It takes 20 years to build a reputation and 5 minutes to ruin it and if you understand this you will do things differently” Warren Buffett
Risk Management in the Spotlight: A need for transformation
Governance, Risk and Compliance (GRC) is a multibillion-dollar industry worldwide and signs are that it is growing. A 2009 AMR Research Inc. study found that US companies were expected to spend $29.8 billion on GRC across software ($9.2bn), external services ($6.6bn) and internal efforts ($14.0bn). Risk management, followed by regulatory compliance, was cited as the key driver for the expenditure.
Europe is likely to be spending a similar level of investment to deal with risks and meet regulatory requirements. Indeed, for Solvency II alone, the Financial Services Authority estimated that UK insurers would spend £3bn on implementation, over and above ongoing costs of between £200 million and £400 million annually.
Despite the significant level of investment, apart from pockets of excellence, few financial services firms seem to have benefited significantly. In a 2012 study, the Chartered Institute of Internal Auditors (CIIA) found that 60% of fines levied by the FSA in 2011 were down to weaknesses in risk management systems.
In light of the current economic environment, Boards are
putting significant pressure on risk managers to show
measurable return on investment. No longer can risk
functions justify their existence by simply preventing
losses and ”keeping regulators at bay”.
On a positive front, there is growing evidence that firms see effective risk management as a means to enhanced reputation, greater competitiveness and market share. This does, however, mean that risk management organisations need to reassess and realign strategies, processes and infrastructure to deliver value at reduced cost, thereby enhancing return on investment.
Risk & Compliance Functions Under Increasing Pressure

The Risk and Compliance Functions are under significant pressure from various stakeholders, including the Board, business unit customers, the insurer’s customers and regulators:

1. Transforming to the changing risk and regulatory landscape. Financial services firms are having to deal with the “new normal”: new emerging risks, new scenarios previously considered implausible (including sovereign failure), a constantly evolving regulator (in the UK, for example, the creation of the PRA and FCA) and constantly evolving regulation. The Risk & Compliance Function also has a role to play in winning over customer confidence in financial services firms.

2. Pressure to add more value. Risk and Compliance Functions are under significant pressure to enhance return on investment and add demonstrable value to overall business performance, or to optimise risk/return to enhance balance sheet performance. No longer are the Board and the business content with the Risk Function merely keeping the regulators at bay and preventing downside risk.

3. Lean Risk & Compliance Functions. As Risk & Compliance Functions reach maturity, performance improvement and cost containment become key priorities, whilst ensuring the value built thus far is not diluted. These Functions are looking for new ways to streamline and integrate processes, leverage automation, embed risk management into business processes and explore new sourcing options to leverage economies of scale.
4. Coping with the Regulatory Tsunami. In response to the financial crisis, the volume of regulation and regulatory guidance (including speeches and announcements) has increased exponentially. Firms are finding it a great challenge just to keep on top of regulatory developments, let alone ensure compliance.
5. Awakening to the implications of more frequent and resource-intensive reporting. Senior management and regulators demand a greater level of reporting to enhance transparency, in the hope that any impending danger is highlighted early and mitigating actions taken before risks materialise. Solvency II, for example, requires an annual Solvency and Financial Condition Report (SFCR), quarterly Returns to Supervisors (RTS), Own Risk and Solvency Assessment reports (internally and to the regulator), and specific reports on an ad-hoc basis following a material event. The level and frequency of reporting puts added pressure on the Risk & Compliance Function.
The changing economic and regulatory landscape, coupled with the internal pressures being placed on the Risk & Compliance Functions, requires them to transform and adapt to the new normal. Transformation will follow a journey of continuous improvement as these Functions evolve into critical, business-enhancing functions that financial services firms cannot do without.
10 Questions Boards should be Asking Themselves

1. What does risk management mean to us as a Board?
2. Are we as a Board, and collectively as a company, effective in identifying, measuring and managing risks?
3. Do we know what value we get out of our risk management organisation? What value should we be getting, and how does it compare with our peers?
4. Is my Risk Function effective in helping us stay on top of risks?
5. What is my total cost of risk? What is the optimal cost of risk as a percentage of gross revenue? Where do we stack up against our competitors?
6. What are my key risks? How can I be assured that there are no unknown or ignored risks lurking in my organisation?
7. Are we taking the right amount of risk?
8. Are people in our organisation risk aware? Do we encourage the right risk-taking behaviours?
9. Is risk management integrated naturally into our business, or is the framework divorced from how risks are actually dealt with at the coal face?
10. Are we receiving the right risk information in a timely fashion?
Risk Mastery: Key Strategies for Risk Transformation

Achieving Risk and Compliance mastery has to be the prime goal for organisations that want demonstrable commercial value from their Risk and Compliance Functions, at reduced cost and with enhanced process efficiency. For organisations achieving risk mastery, the benefits could be significant. Some examples include:
• Anticipation and proactive management of new and impending events that could dilute risk-adjusted return on capital, profitability and reputational value;
• An aggregate risk view highlighting specific areas where greater risk taking could maximise upside by stopping unnecessary value leakage;
• Controls automatically embedded into processes at the most detailed level, greatly reducing the errors that lead to losses, customer redress issues or regulatory fines; and
• Regulatory developments automatically tracked and mapped to processes, enabling quick planning and execution of regulatory change.
Improving return on investment in risk and compliance initiatives requires:
• Adding more value, or achieving more with the same cost base;
• Adding more value through greater risk taking, thereby enhancing risk-adjusted return on capital; and
• Reducing the total cost of risk management, by reducing the unit cost of the Risk and Compliance Function and reducing losses incurred from known and unknown risks.
Costs and process efficiencies are easier to quantify and
should be the natural starting point, exploiting as many
“low hanging fruits” as possible. Value generated by risk
and compliance is sometimes harder to quantify, although
clear examples will be presented in this paper. Enhancing
value is often a medium term goal achieved over time.
5 Key Strategies are explored to enhance value, improve process efficiency and reduce costs:
1. Realigning to the new normal and tightening up risk management
2. Reducing costs
3. Enhancing process efficiency through systems integration
4. Enhancing value added by the Risk Function
5. Taming the Regulatory Tsunami – proactive compliance
“When you change the way you look at things, the things
you look at change” Wayne Dyer
1. Realigning to the “New Normal” and Tightening Up Risk Management Effort

The world is constantly evolving and so are the risks and opportunities confronting financial services organisations. Leading ones are nimble: they can foresee and understand the impact of new emerging risks and re-align to ensure that priority is given to the right risks and that blind spots and unknown risks are avoided. If successfully achieved, this can add significant value. Enron, Lehman, BP, Blackberry and Arthur Andersen are only a few examples of how undiscovered or unmanaged risks can either wipe out an entire organisation (no matter its size) or significantly erode market value (e.g. Blackberry).

The risk landscape is changing. As early as 2007, in a study carried out by the Economist Intelligence Unit (a survey of 200 major organisations), participants rated risks related to human capital, reputation and regulatory compliance as the most threatening, and traditional quantifiable risks such as financial risk, credit risk and foreign exchange risk as the least threatening.

In AON’s Global Risk Management Survey 2013 (more than 1,400 respondents), the top risks included economic slowdown/slow recovery, regulatory and legislative change, and damage to reputation and brand. Counterparty credit risk was ranked 20th and interest rate fluctuations 31st. AON felt that computer crime/viruses/malicious hacking (ranked 18th), social media (ranked 40th) and pension risk funding (ranked 47th) were potentially underestimated, as all three had the potential to cause significant concern.

Martin Wheatley, Head of the Financial Conduct Authority in the UK, in a recent speech stated that the FCA would be focusing on behavioural economics, taking into consideration the human element of risk management on the part of both the financial services firm and its customers.

Without this realignment, the organisation is increasingly exposed to new and unmanaged threats, while the opportunity to optimise the cost of well-managed risks is lost.

3 Key Strategies for Aligning Risk Management

1. Get a comprehensive understanding of risks. Review the risk universe regularly to unearth unmanaged and unknown risks. Using the same exercise, also identify risks that are well managed. This will help to realign resources, show where cost savings can be made, and highlight areas where new capabilities need to be developed. In practice, successfully executing such a strategy requires a comprehensive and well-coordinated approach across all areas and levels of the organisation, supportive information technology, an embedded risk culture and cohesion between functions (breaking down existing silos).

2. New risks require new alliances. The benefits of Risk and Finance integration are well known, and much activity is directed at driving efficiencies and synergies between these two areas. New emerging risks around people and reputation require new collaborative activity between the Risk and Compliance Function and Human Resources and Corporate Communications, for example. A closer link with the Strategy Department is also paramount given the strategic nature of emerging risks, which, if they materialised, could shake the very existence of the organisation regardless of its size.

3. Regulatory engagement. UK firms need to develop a new engagement model to respond to the “Twin Peaks” model involving the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA). A proactive and active engagement model will help build the regulator’s trust, resulting in a hopefully less intrusive approach. This could lower regulatory risk management costs and minimise disruption caused by regulatory interventions.
Top 10 Risks (AON Global Risk Management Survey 2013)
1. Economic Slowdown / Slow Recovery
2. Regulatory / Legislative Change
3. Increasing Competition
4. Damage to Reputation / Brand
5. Failure to attract and retain top talent
6. Failure to innovate / meet customer need
7. Business Interruptions
8. Commodity Price Risk
9. Cash flow / Liquidity Risk
10. Political Risks / Uncertainties
2. Reducing Costs

What do risk, and the management of risk, cost my organisation? This is a question that most organisations would find difficult to answer. Measuring this cost would help to assess return on investment and support efforts to introduce cost efficiencies. How is the cost measured? Expanding on AON’s concept of Total Cost of Risk (TCOR), costs can be quantified by adding:
• Cost of loss, including regulatory fines, losses caused by errors (investment losses or customer redress, for example) and losses on retained risks that are not insured or hedged. Reputational risk and opportunity costs, although difficult, would be worthwhile quantifying somehow (even if only estimated);
• Risk mitigation costs (hedging costs and insurance premiums); and
• Internal costs, including Risk & Compliance staff and related infrastructure and other operational costs (across all three lines of defence).
In practice, data limitations and lack of knowhow and skills
are common reasons why firms fail to measure cost of risk.
Significant benefits are available to those firms who are
able to surmount this challenge.
Although it may sound paradoxical, reducing cost can
indeed be achieved whilst improving process efficiency
and driving higher value. Cost reduction is often a catalyst
for performance improvement and efficiency gains.
3 Key Cost Reduction Strategies
1. Reducing losses. This is a key responsibility of the Risk Function anyway, and TCOR is a good measure of its effectiveness. Firms will need to get a good handle on pinpointing areas where losses have occurred and where they are likely to occur.

Process, systems and human-related losses, as well as regulatory fines for compliance breaches, can be minimised by embedding automated controls deeply within processes wherever possible. This could, for example, be achieved through a behaviour- and rules-based technology engine through which each process would need to pass. If the rules are not complied with, the process is not executed, or an approval requirement is flagged. Such technology exists and is worth exploring.
2. Reducing internal costs. The obvious choice for most firms is to reduce headcount. This may well be the most appropriate strategy; however, if executed without careful planning, it could dilute some of the value that a Risk and Compliance Function has built up within the organisation. Innovative sourcing models, if implemented effectively, can help to ensure value retention (and indeed enhancement) at a reduced cost base.

An example of a sourcing model could involve the transfer of certain Risk and Compliance Function personnel to a third-party service provider. The deal could guarantee an initial level of cost reduction, with the flexibility to flex up or down.
To ensure value is maximised and operational cost optimised, we believe a three-tier sourcing model is worth exploring.
Business Process Outsourcing as the base
Routine tasks such as information gathering, collating reporting figures and producing reports based on defined templates are good examples of the type of non-core work that can be outsourced.
Knowledge Centers
For more complex work, knowledge centers staffed
with skilled personnel can be utilized effectively and
could be a source of significant cost reduction.
Examples of work that such centers could deliver
include actuarial and quantitative processes such as
model development, model validation, data
aggregation, pricing, product development support,
etc.
High Value Support
Governance, risk management and compliance can be
a complex business. Chief Risk Officers now need to
be skilled in a multiplicity of very complex areas in
addition to having excellent stakeholder management
skills ensuring full engagement of the Board and
other key stakeholders. Many would find it beneficial to get advice and guidance from a peer or coach. We believe executives would find it helpful to be able to tap into a pool of highly skilled and experienced peers to help resolve complex and strategic problems. Examples of areas of support include: dealing with regulatory enforcement, reviewing the effectiveness of Boards in overseeing and managing risks, and assessing the risks of entering new markets or changing strategic direction. In such cases, executives want to ensure that they get support from people who have relevant practical experience, having actually executed such projects and strategies, rather than from theory-based consultants.
3. Reducing the cost of insurance

Case Study: Individual business units within a large composite insurer were allowed to determine their own level of reinsurance required to mitigate risks. The result on a group-wide basis was that these businesses reinsured more than was optimal from a risk/reward perspective. Their negotiating power was also limited given the small scale of each reinsurance transaction, resulting in higher prices for reinsurance.

Solution – The Group established a centralised captive reinsurer, and all Life and General Insurance reinsurance had to be placed via this captive.

Results – On an aggregate basis, the Group could exploit diversification benefits and retain certain previously reinsured risks, enhancing return on economic and regulatory capital. The Group also had the power to negotiate a lower price for reinsurance, given the volume of business.
Figure: Sourcing or Shared Service model (three tiers, from base to top: Business Process Outsourcing; Knowledge Centre of Excellence; High Value Support)
3. Enhancing Operational Efficiencies through Systems Integration
Integrate Systems to Drive Lower Costs & Yield Commercial Insights
Systems integration as a means to reduce costs is by no means a new concept. Many firms have, however, found it challenging to implement in practice. A multiplicity of systems built on different standards often makes it difficult for data to be transferred across systems, and where data can be transferred, its integrity is often questionable.
Systems integration offers several business benefits:
• If data can be treated consistently across different systems, this opens up the potential to gain new insights across functions (e.g. Risk, Compliance, Finance, HR, Products) or across businesses.
• If regulators adopt such a standard, multi-jurisdictional regulatory reporting can be processed centrally with significant operational efficiency and reduced costs.
• The accuracy of internal and external reports would improve, avoiding wrong decisions based on incorrect data or, worse, regulatory censure for incorrect reporting.
• Systems or service providers can be changed more easily, driving competition and reducing cost.
Case Study - Reporting

In the case of financial reporting, XBRL (eXtensible Business Reporting Language) is an emerging standard that promises to preserve data integrity across a variety of systems. XBRL is a language for the electronic communication of business and financial data: each fact is tagged against a published taxonomy and carries explicit references to its reporting context (entity and period) and unit, rather than depending on the position it occupies in a spreadsheet or report template. It provides benefits in the preparation, analysis and communication of business information, and has demonstrated cost savings, greater efficiency and improved accuracy and reliability.

Regulators are widely adopting and mandating this standard for regulatory reporting. HMRC in the UK has already adopted it: Corporation Tax accounts and computations are filed in (inline) XBRL. 1 January 2013 was set as the deadline for banks to use XBRL to send data to their national regulator, which in turn sends consolidated information to the European Banking Authority (EBA). The EBA has developed XBRL-based taxonomies in the form of the COREP and FINREP reporting standards. Similarly, the European Insurance & Occupational Pensions Authority (EIOPA) is mandating an XBRL reporting framework for insurers, who start reporting to their regulator from 1 January 2014. XBRL adoption will continue to accelerate given the benefits it offers.

Market estimates indicate that if implemented skilfully, with synergies exploited, this new reporting framework could significantly reduce processing times (by up to 70% in some cases) and, if reporting were done centrally, reduce the cost of reporting for global firms.
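The data-integrity promise of XBRL rests on each fact carrying explicit references to a declared context (entity and period) and unit, and those references can be checked mechanically before a filing is loaded into a consolidation or reporting system. The script below is an added example for this page, not code from the paper or from any regulator's toolset: it parses a constructed XBRL instance with the Python standard library, refuses the load if any fact's contextRef or unitRef does not resolve to a declared context or unit, and returns the parsed facts for downstream use. The concept names (ex:TotalAssets and so on), the entity identifier and the values are illustrative and are not taken from any real taxonomy or filing.

```python
"""Referential-integrity check for an XBRL instance before it is loaded into
a reporting or aggregation system.

Every fact must reference a declared context and, if it is numeric, a
declared unit. A dangling reference is the kind of defect that silently
corrupts a consolidated return, so the load is refused if any is found.

Added example. SAMPLE_INSTANCE is constructed for this script; the concept
names (ex:TotalAssets etc.), entity identifier and values are illustrative
and are not taken from any COREP, FINREP or EIOPA taxonomy or filing.
"""
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

XBRLI = "http://www.xbrl.org/2003/instance"  # XBRL 2.1 instance namespace
LINK = "http://www.xbrl.org/2003/linkbase"   # schemaRef etc.; structural, not facts
NS = {"xbrli": XBRLI}

SAMPLE_INSTANCE = f"""<xbrli:xbrl xmlns:xbrli="{XBRLI}" xmlns:link="{LINK}"
    xmlns:iso4217="http://www.xbrl.org/2003/iso4217"
    xmlns:ex="http://example.com/illustrative-taxonomy">
  <xbrli:context id="c2013">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/lei">EXAMPLE0000000000001</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2013-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="GBP"><xbrli:measure>iso4217:GBP</xbrli:measure></xbrli:unit>
  <ex:TotalAssets contextRef="c2013" unitRef="GBP" decimals="0">1500000</ex:TotalAssets>
  <ex:TotalLiabilities contextRef="c2013" unitRef="GBP" decimals="0">1200000</ex:TotalLiabilities>
  <!-- deliberate defects: context c2012 and unit 'pure' are never declared -->
  <ex:SolvencyRatio contextRef="c2012" unitRef="pure" decimals="2">1.25</ex:SolvencyRatio>
</xbrli:xbrl>
"""


def parse_instance(xml_text):
    """Return (facts, errors): parsed facts and a list of integrity violations."""
    root = ET.fromstring(xml_text)
    contexts = {c.get("id") for c in root.findall("xbrli:context", NS)}
    units = {u.get("id") for u in root.findall("xbrli:unit", NS)}
    facts, errors = [], []
    for el in root:
        # ElementTree tags look like "{namespace}localname"
        ns, name = el.tag[1:].split("}", 1) if el.tag.startswith("{") else ("", el.tag)
        if ns in (XBRLI, LINK):
            continue  # contexts, units, schemaRef: not reported facts
        ctx, unit = el.get("contextRef"), el.get("unitRef")
        if ctx not in contexts:
            errors.append(f"{name}: contextRef {ctx!r} is not declared")
        if unit is not None and unit not in units:
            errors.append(f"{name}: unitRef {unit!r} is not declared")
        raw = (el.text or "").strip()
        value = raw
        if unit is not None:  # a unitRef marks a numeric fact
            try:
                value = Decimal(raw)
            except InvalidOperation:
                errors.append(f"{name}: value {raw!r} is not numeric")
                value = None
        facts.append({"concept": name, "context": ctx, "unit": unit, "value": value})
    return facts, errors


def fact_value(facts, concept, context):
    """Look up one fact by concept local name and context id (None if absent)."""
    for fact in facts:
        if fact["concept"] == concept and fact["context"] == context:
            return fact["value"]
    return None


def validate(xml_text):
    """Load gate: accept the instance only if it has no integrity violations."""
    facts, errors = parse_instance(xml_text)
    return {"accepted": not errors, "fact_count": len(facts), "errors": errors}


if __name__ == "__main__":
    report = validate(SAMPLE_INSTANCE)
    print(f"accepted={report['accepted']} facts={report['fact_count']}")
    for err in report["errors"]:
        print("  -", err)
```

Run against the constructed instance, the two well-formed balance sheet facts parse cleanly and the SolvencyRatio fact is reported twice (undeclared context, undeclared unit), so the load is refused rather than a silently wrong figure reaching the consolidated return. Filings received from third parties should be parsed with defusedxml's drop-in ElementTree rather than the standard module, to guard against entity-expansion attacks; the referential checks are unchanged.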
4. Enhancing Value Added by the Risk Function

Barring some exceptions, gone are the days when financial services firms will incur risk and compliance costs only to satisfy regulatory requirements or merely to deal with downside risks. The Board and the front-line business demand more value from their investment in the Risk Function. So how can the Risk Function add more value to the business? We set out three ways to greater value creation:

1. From Risk Overseers to Risk Advisors
As overseers, the Risk Function has little chance to add real value. Risk Functions that take a very literal interpretation of the “2nd line of defence” will often be inclined to restrict themselves in the name of “remaining independent”. Business units would equally be forgiven for viewing the Risk Function as a hindrance. By becoming true advisors, the Risk Function could, while maintaining its independence, help and guide the businesses in identifying and managing risks on a day-to-day basis, and provide real-time assurance to senior management and other stakeholders. It could also use its aggregate risk analysis to suggest opportunities for the business to take more risk.
2. Benchmarking – Giving Something Back. As the aggregator of information, the Risk Function is ideally placed to provide useful analytics back to the business. This data allows business units to benchmark themselves and strive towards improved performance. It ought also to help win greater business buy-in, as the business is used to receiving requests for information from the Risk Function and never getting anything back.
3. Early Warning System – a Forward-Looking Approach. The Risk Function is ideally placed to co-ordinate comprehensive scenario analysis and reverse stress testing exercises that help the organisation become proactive in anticipating and mitigating risks before they have the chance to materialise. For this to become a reality, though, the Risk Function needs the tools, capability, an intelligent team and the bandwidth to anticipate remote and unknown risks. Intelligent sourcing could yield this outcome at lower cost.
2nd Line of Defence Analogy

Picture the Titanic sailing on a collision course with an iceberg. The Chief Risk Officer is in the lookout tower and sees what is about to happen.

Taking a pure 2nd line of defence approach, the CRO thinks to himself: “Mmmm, I wonder whether the captain will steer the ship to avoid the iceberg. I will watch and see whether he complies with the policies and guidelines. I can’t interfere as I need to maintain my independence.”

The Titanic sinks and the CRO (who happened to survive) reports to the tribunal, pointing out the breach of policy and controls – job done.

Conversely, taking a risk advisory approach, the CRO would have shouted out to the Captain: “Ahoy there Captain – not my call, but I think you should steer the ship five degrees to the left, as an iceberg collision is imminent if you stay on course.”

The Captain responds and steers the ship away from the iceberg. All are saved and the Captain is pleased with the warning given by the CRO.
“The trouble with government regulation of the market is that it prohibits capitalistic acts between consenting adults.” Robert Nozick
5. Taming the Regulatory Tsunami – Proactive compliance
In the wake of the financial crisis, regulators are stepping up supervisory initiatives and introducing a raft of new regulation and guidance. According to Reuters, in 2011 there were 14,215 regulatory announcements, 60 per day on average. The announcements can include anything from speeches to final binding rules.
Ironically, the very regulations aimed at preventing another financial crisis now feature in second position in the top 10 global risks in AON’s Global Risk Management Survey 2013. Although willing, firms are naturally struggling to comply:
• The volume of regulatory change significantly increases the chance of regulatory breaches that could result in regulatory censure (including fines) and possible reputational damage. Ever-changing rules make it extremely challenging for front-line, customer-facing personnel to comply consistently; mistakes are inevitable.
• The cost of compliance increases significantly under the current regulatory landscape, as firms have to skill up by recruiting more compliance professionals and soliciting help from external third parties.
The “Twin Peaks” approach to regulation in the UK adds further complexity and potential cost, as financial services firms now face two regulators, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), with different regulatory approaches.
How are leading firms dealing with the Regulatory Tsunami?

Leading firms are taking a proactive stance by leveraging the power of information technology. Although it is early days, the compliance solutions emerging demonstrate the following attractive features:
• A comprehensive library of continually updated regulation and guidance. The library incorporates a robust ontology, allowing searchability and inter-linkages between regulations.
• Powerful analytic systems to analyse and measure compliance on a real-time basis. The system uses existing data, its rules and behaviours, and information from experts.
• Detailed end-to-end processes mapped to specific regulatory line items, allowing for workflow development that helps to capture evidence-based documentation and key risk and performance metrics.
Key benefits of a systems-based approach include:
• Real-time compliance monitoring that prevents breaches of regulatory rules or internal policies before they occur;
• An early warning system that allows firms to anticipate potential regulatory breaches; and
• Documentary evidence tagged to the relevant regulation, allowing for enhanced compliance monitoring and regulatory interactions.
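The rules-based engine proposed under Strategy 2 (a process passes through a gate that blocks non-compliant steps or flags an approval requirement) and the real-time monitoring with evidence tagged to regulation described above come down to the same mechanism: a pre-execution policy check that records its decisions. The Python below is an added example written for this page, not code from the paper or from any vendor's product. A transaction is run through a small set of rules, each tied to a policy or regulatory reference; the most severe outcome decides whether it executes, waits for approval or is rejected, and every evaluation is appended to an evidence log. The rules, thresholds, sanctions list, trader mandates, policy references and sample transactions are all constructed for illustration.

```python
"""Pre-execution control gate: a transaction passes through a set of rules
before it is executed. Each rule returns ALLOW, REQUIRE_APPROVAL or BLOCK;
the most severe outcome decides, and every evaluation is written to an
evidence log together with the rule id and the policy or regulatory
reference it enforces, so the trail is tagged to the requirement.

Added example. The rules, thresholds, sanctions list, trader mandates,
policy references and sample transactions are all constructed for
illustration and are not taken from any real regulation or firm.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

ALLOW, APPROVE, BLOCK = "ALLOW", "REQUIRE_APPROVAL", "BLOCK"
SEVERITY = {ALLOW: 0, APPROVE: 1, BLOCK: 2}  # higher wins when rules disagree


@dataclass(frozen=True)
class Rule:
    rule_id: str
    reference: str                # policy section / regulatory line item (illustrative)
    description: str
    check: Callable[[dict], str]  # txn -> ALLOW | APPROVE | BLOCK


# Constructed reference data the rules consult.
SANCTIONED = {"ACME HOLDINGS LTD"}
MANDATES = {"trader-17": {"EQUITY", "FX"}, "trader-22": {"FX"}}
APPROVAL_LIMIT = 1_000_000

RULES = [
    Rule("R1-SANCTIONS", "Sanctions policy s.2.1",
         "Counterparty must not appear on the sanctions list",
         lambda t: BLOCK if t["counterparty"].upper() in SANCTIONED else ALLOW),
    Rule("R2-LIMIT", "Dealing limits policy s.4.3",
         "Tickets above the limit need desk-head approval before execution",
         lambda t: APPROVE if t["amount"] > APPROVAL_LIMIT else ALLOW),
    Rule("R3-SUITABILITY", "Conduct handbook, suitability rule (illustrative ref.)",
         "Retail clients need a completed suitability assessment",
         lambda t: BLOCK if t["client_type"] == "RETAIL"
         and not t["suitability_assessed"] else ALLOW),
    Rule("R4-MANDATE", "Trading mandate policy s.1",
         "Trader must hold a mandate for the asset class",
         lambda t: ALLOW if t["asset_class"] in MANDATES.get(t["trader"], set()) else BLOCK),
]


def evaluate(txn, rules, evidence_log):
    """Run every rule, derive the gate decision and append an evidence record."""
    outcomes = [(rule, rule.check(txn)) for rule in rules]
    decision = max((outcome for _, outcome in outcomes), key=SEVERITY.__getitem__)
    record = {
        "txn_id": txn["id"],
        "decision": decision,
        # only non-passing rules are listed, each with the reference it enforces
        "triggered": [(r.rule_id, r.reference, o) for r, o in outcomes if o != ALLOW],
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
    }
    evidence_log.append(record)
    return decision, record


def process(txn, rules, evidence_log, execute):
    """Gate the transaction: execute on ALLOW, park on APPROVE, reject on BLOCK."""
    decision, _ = evaluate(txn, rules, evidence_log)
    if decision == ALLOW:
        execute(txn)
        return "executed"
    if decision == APPROVE:
        return "queued_for_approval"
    return "rejected"


# Constructed sample tickets: one clean, one over the limit, one multiply non-compliant.
SAMPLE_TXNS = [
    {"id": "T1", "trader": "trader-17", "asset_class": "EQUITY", "amount": 250_000,
     "counterparty": "Northwind plc", "client_type": "PROFESSIONAL",
     "suitability_assessed": True},
    {"id": "T2", "trader": "trader-17", "asset_class": "FX", "amount": 4_000_000,
     "counterparty": "Northwind plc", "client_type": "PROFESSIONAL",
     "suitability_assessed": True},
    {"id": "T3", "trader": "trader-22", "asset_class": "EQUITY", "amount": 50_000,
     "counterparty": "Acme Holdings Ltd", "client_type": "RETAIL",
     "suitability_assessed": False},
]

if __name__ == "__main__":
    log = []
    for txn in SAMPLE_TXNS:
        status = process(txn, RULES, log, execute=lambda t: None)
        print(txn["id"], status, [rid for rid, _, _ in log[-1]["triggered"]])
```

On the constructed tickets T1 executes, T2 is parked for desk-head approval under R2 only, and T3 is rejected with three rules recorded against it (sanctions, suitability and mandate), so the evidence log shows not just that a breach was prevented but which requirement each rule enforced. In a real deployment the rule set would be loaded from a versioned store rather than hard-coded, so that a change to a rule is itself an auditable event, and the evidence log would go to append-only storage; the gate logic is unchanged.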
What are the Next Steps?

This paper merely explores some of the ways in which the Risk and Compliance Function could transform to yield higher value at reduced cost and with improved process efficiency. Clearly, they may not all be appropriate or relevant to your particular needs; hopefully, though, these ideas will have stimulated thinking about the possibilities open to organisations and their associated benefits.
Continuous improvement should be an ongoing journey for any organisation, and Risk and Compliance is by no means an exception. Regular self-assessment, and the programme of improvement that results from it, will help ensure that the Risk and Compliance Function remains relevant and is structured to add value rather than be a cost burden to the firm.
The transformation journey could start with a comprehensive diagnostic exercise establishing the current state, including an assessment of the perceived value added, quantification of total costs and an understanding of the components of TCOR, and mapping of current processes. The information gathered from the diagnostic phase could then be benchmarked against more sophisticated competitors (i.e. best practice) and regulatory expectations.
If sufficient gaps are identified, the transformation journey should begin with a clear picture of the end state, quantifying the desired outcomes at a detailed level, for example:
• Internal costs reduced by 25%
• Losses reduced by 10%
• Error rates reduced by 60%
• Reporting times reduced by two weeks
• etc.
The gaps resulting from the diagnostic phase would help
to inform a detailed implementation plan. Stakeholder
engagement is key to designing and executing the plan.
Relevant third party partners or service providers could
support execution.
Vedanvi Ltd
For more information contact:
Jay Tikam
Tel: +44 (0) 203 102 6750
Mob: +44 (0) 778 551 8471
Email: [email protected]
45 King William Street
London, EC4R 9AN